11336620

Enforcing a Segmentation Policy in Co-Existence with a System Firewall

Published: May 17, 2022
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for processing an input packet at a host device in accordance with firewall rules of a segmentation firewall that enforces a segmentation policy on the host device and that co-exists with a system firewall of the host device, the method comprising: configuring the segmentation firewall in a co-existence mode; receiving a first input packet at the host device; applying permissive segmentation firewall rules of a rule chain of the segmentation firewall executing on the host device to determine if the first input packet meets respective criteria of each of the segmentation firewall rules; responsive to the first input packet meeting criteria specified in one of the segmentation firewall rules, executing a command to exit the rule chain without dropping or accepting the first input packet; responsive to executing the command to exit the rule chain, passing control of the first input packet to the system firewall of the host device to enable the system firewall to determine whether to drop or accept the first input packet; switching operation of the segmentation firewall to an exclusive mode; receiving a second input packet with the segmentation firewall operating in the exclusive mode; applying the segmentation firewall rules of the segmentation firewall to determine whether to drop or accept the second input packet, wherein accepting the input packet provides the input packet to its destination by bypassing the system firewall; and dropping or accepting the second input packet dependent on application of the segmentation firewall rules.

2. The method of claim 1, further comprising: determining, by the system firewall, whether to drop or accept the first input packet based on security firewall rules associated with the system firewall; dropping the first input packet responsive to the system firewall determining to drop the first input packet; and passing the first input packet to a workload or to a network responsive to the system firewall determining to accept the first input packet.

3. The method of claim 1, wherein applying the permissive segmentation firewall rules comprises: executing a first jump command of an input module to jump to a chain selection module of the segmentation firewall; selecting, by the chain selection module, a first rule chain of the segmentation firewall; executing, in the chain selection module, a goto command to go to the first rule chain of the segmentation firewall; executing first firewall rules in the first rule chain; responsive to completing execution of the first firewall rules without dropping the first input packet, executing a first return command to return to a first memory location of an instruction of the input module following the first jump command.

4. The method of claim 3, further comprising: executing a second jump command to a second rule chain of the segmentation firewall; executing second firewall rules in the second rule chain; and responsive to completing execution of the second firewall rules without dropping the first input packet, executing a second return command to return to a second memory location of an instruction of the input module following the second jump command.

5. The method of claim 4, further comprising: passing, by the input module, the first input packet to the system firewall following the second return command.

6. The method of claim 3, wherein selecting the first rule chain of the segmentation firewall comprises: determining a packet type of the first input packet; and selecting the first rule chain from a set of selectable rule chains based on the packet type.

7. The method of claim 1, further comprising: switching operation of the segmentation firewall to a monitoring mode; receiving a third input packet with the segmentation firewall operating in the monitoring mode; applying the segmentation firewall rules of the segmentation firewall and logging results of the application of the segmentation firewall rules without dropping or accepting the third input packet; and storing a log of the results.

8. A non-transitory computer-readable storage medium storing instructions for processing an input packet at a host device in accordance with firewall rules of a segmentation firewall that enforces a segmentation policy on the host device and that co-exists with a system firewall of the host device, the instructions when executed by one or more processors causing the one or more processors to perform steps comprising: configuring the segmentation firewall in a co-existence mode; receiving a first input packet at the host device; applying permissive segmentation firewall rules of a rule chain of the segmentation firewall executing on the host device to determine if the first input packet meets respective criteria of each of the segmentation firewall rules; responsive to the first input packet meeting criteria specified in one of the permissive segmentation firewall rules, executing a command to exit the rule chain without dropping or accepting the first input packet; responsive to executing the command to exit the rule chain, passing control of the first input packet to the system firewall of the host device to enable the system firewall to determine whether to drop or accept the first input packet; switching operation of the segmentation firewall to an exclusive mode; receiving a second input packet with the segmentation firewall operating in the exclusive mode; applying the segmentation firewall rules of the segmentation firewall to determine whether to drop or accept the second input packet, wherein accepting the input packet provides the input packet to its destination by bypassing the system firewall; and dropping or accepting the second input packet dependent on application of the segmentation firewall rules.

9. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the one or more processors to perform steps including: determining, by the system firewall, whether to drop or accept the first input packet based on security firewall rules associated with the system firewall; dropping the first input packet responsive to the system firewall determining to drop the first input packet; and passing the first input packet to a workload or to a network responsive to the system firewall determining to accept the first input packet.

10. The non-transitory computer-readable storage medium of claim 8, wherein applying the permissive segmentation firewall rules comprises: executing a first jump command of an input module to jump to a chain selection module of the segmentation firewall; selecting, by the chain selection module, a first rule chain of the segmentation firewall; executing, in the chain selection module, a goto command to go to the first rule chain of the segmentation firewall; executing first firewall rules in the first rule chain; and responsive to completing execution of the first firewall rules without dropping the first input packet, executing a first return command to return to a first memory location of an instruction of the input module following the first jump command.

11. The non-transitory computer-readable storage medium of claim 10, wherein the instructions when executed further cause the one or more processors to perform steps including: executing a second jump command to a second rule chain of the segmentation firewall; executing second firewall rules in the second rule chain; and responsive to completing execution of the second firewall rules without dropping the first input packet, executing a second return command to return to a second memory location of an instruction of the input module following the second jump command.

12. The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed further cause the one or more processors to perform steps including: passing, by the input module, the first input packet to the system firewall following the second return command.

13. The non-transitory computer-readable storage medium of claim 10, wherein selecting the first rule chain of the segmentation firewall comprises: determining a packet type of the first input packet; and selecting the first rule chain from a set of selectable rule chains based on the packet type.

14. The non-transitory computer-readable storage medium of claim 8, wherein the instructions when executed further cause the one or more processors to perform steps including: switching operation of the segmentation firewall to a monitoring mode; receiving a third input packet with the segmentation firewall operating in the monitoring mode; applying the segmentation firewall rules of the segmentation firewall and logging results of the application of the segmentation firewall rules without dropping or accepting the third input packet; and storing a log of the results.

15. A computer system comprising: one or more processors; and a non-transitory computer-readable storage medium storing instructions for processing an input packet at a host device in accordance with firewall rules of a segmentation firewall that enforces a segmentation policy on the host device and that co-exists with a system firewall of the host device, the instructions when executed by the one or more processors causing the one or more processors to perform steps comprising: configuring the segmentation firewall in a co-existence mode; receiving a first input packet at the host device; applying permissive segmentation firewall rules of a rule chain of the segmentation firewall executing on the host device to determine if the first input packet meets respective criteria of each of the segmentation firewall rules; responsive to the first input packet meeting criteria specified in one of the permissive segmentation firewall rules, executing a command to exit the rule chain without dropping or accepting the first input packet; responsive to executing the command to exit the rule chain, passing control of the first input packet to the system firewall of the host device to enable the system firewall to determine whether to drop or accept the first input packet; switching operation of the segmentation firewall to an exclusive mode; receiving a second input packet with the segmentation firewall operating in the exclusive mode; applying the segmentation firewall rules of the segmentation firewall to determine whether to drop or accept the second input packet, wherein accepting the input packet provides the input packet to its destination by bypassing the system firewall; and dropping or accepting the second input packet dependent on application of the segmentation firewall rules.

16. The computer system of claim 15, wherein the instructions when executed further cause the one or more processors to perform steps including: determining, by the system firewall, whether to drop or accept the first input packet based on security firewall rules associated with the system firewall; dropping the first input packet responsive to the system firewall determining to drop the first input packet; and passing the first input packet to a workload or to a network responsive to the system firewall determining to accept the first input packet.

17. The computer system of claim 15, wherein applying the permissive segmentation firewall rules comprises: executing a first jump command of an input module to jump to a chain selection module of the segmentation firewall; selecting, by the chain selection module, a first rule chain of the segmentation firewall; executing, in the chain selection module, a goto command to go to the first rule chain of the segmentation firewall; executing first firewall rules in the first rule chain; responsive to completing execution of the first firewall rules without dropping the first input packet, executing a first return command to return to a first memory location of an instruction of the input module following the first jump command.

18. The computer system of claim 17, wherein the instructions when executed further cause the one or more processors to perform steps including: executing a second jump command to a second rule chain of the segmentation firewall; executing second firewall rules in the second rule chain; and responsive to completing execution of the second firewall rules without dropping the first input packet, executing a second return command to return to a second memory location of an instruction of the input module following the second jump command.

19. The computer system of claim 18, wherein the instructions when executed further cause the one or more processors to perform steps including: passing, by the input module, the first input packet to the system firewall following the second return command.

20. The computer system of claim 17, wherein selecting the first rule chain of the segmentation firewall comprises: determining a packet type of the first input packet; and selecting the first rule chain from a set of selectable rule chains based on the packet type.
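The three operating modes the claims describe, modelled in Python as an added illustration that is not code from the patent or its assignee: an input module jumps to a chain selected by packet type, a matching rule in co-existence mode returns control without a verdict so the system firewall decides, exclusive mode makes the segmentation verdict final (accept bypasses the system firewall), and monitoring mode only logs. The rule format, the second "common" chain, the stand-in system firewall and default-deny for unmatched traffic in exclusive mode are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Mode(Enum):
    COEXISTENCE = 1  # a matching rule RETURNs; the host's system firewall decides
    EXCLUSIVE = 2    # rule verdicts are final; ACCEPT bypasses the system firewall
    MONITORING = 3   # verdicts are logged only, never enforced

@dataclass(frozen=True)
class Packet:
    proto: str  # packet type the chain selection module keys on
    src: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src_prefix: Optional[str]
    dport: Optional[int]
    verdict: str  # "ACCEPT" or "DROP"
    def matches(self, p: Packet) -> bool:
        return ((self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dport is None or self.dport == p.dport))

class SegmentationFirewall:
    def __init__(self, chains: dict, system_fw: Callable[[Packet], str], mode: Mode):
        self.chains, self.system_fw, self.mode, self.log = chains, system_fw, mode, []

    def _run_chain(self, name: str, p: Packet) -> Optional[str]:
        """Walk one chain; a match yields its verdict, no match means RETURN (None)."""
        return next((r.verdict for r in self.chains.get(name, []) if r.matches(p)), None)

    def process(self, p: Packet) -> str:
        # Input module: jump to chain selection (goto the chain keyed by packet type), return
        # here, then a second jump to the shared "common" chain (assumed second chain).
        verdict = self._run_chain(p.proto, p) or self._run_chain("common", p)
        if self.mode is Mode.EXCLUSIVE:
            return verdict or "DROP"  # assumed default-deny when no segmentation rule matches
        if self.mode is Mode.MONITORING:
            self.log.append(f"{p.proto} {p.src}->{p.dport}: would {verdict or 'DROP'}")
        return self.system_fw(p)  # co-existence/monitoring: the system firewall decides

# Constructed stand-in for the host's own firewall: it allows only SSH.
SYSTEM_FW = lambda p: "ACCEPT" if p.dport == 22 else "DROP"
# Constructed sample policy: the app segment may reach 443; the shared chain denies the rest.
CHAINS = {"tcp": [Rule("10.0.1.", 443, "ACCEPT")], "common": [Rule(None, None, "DROP")]}

def verdicts(mode: Mode) -> tuple:
    fw = SegmentationFirewall(CHAINS, SYSTEM_FW, mode)
    https, ssh = Packet("tcp", "10.0.1.7", 443), Packet("tcp", "10.0.1.7", 22)
    return fw.process(https), fw.process(ssh), tuple(fw.log)
```

Running `verdicts` in each mode shows why the modes differ operationally: the same HTTPS packet the segmentation policy allows is dropped by the system firewall in co-existence mode and accepted only once the segmentation firewall is exclusive, while monitoring mode records the would-be verdicts without changing what the host does.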

Patent Metadata

Filing Date

Unknown

Publication Date

May 17, 2022

Inventors

Daniel Richard Cook
Anish Vinodkumar Desai
Thomas Michael McCormick

Cite as: Patentable. “ENFORCING A SEGMENTATION POLICY IN CO-EXISTENCE WITH A SYSTEM FIREWALL” (11336620). https://patentable.app/patents/11336620